Friday, 20 March 2009

A commonly revered part of any ISA Server installation is that of documenting the final solution, especially if this involves a complex firewall policy. After trying to document a few Enterprise Edition customer installations which contained several hundred firewall policy rules, it became apparent that we could do with some form of documentation utility or tool. This tool would aim to capture the key rule information and output this into a nice looking format and/or allow it to be stored electronically for future support purposes.

Rather than create an application from scratch, it made sense to start with the ISAInfo tool, as this provides an XML output which contains all of the raw ISA Server configuration information, including firewall and system policy rules.

After a bit of internal brainstorming, we realised that developing a completely new application to translate data from the ISAInfo XML file into an appropriate format was going to take quite some time. Hence, we decided it would make more sense to modify the display format that is provided with the original ISAInfo Viewer (ISAInfo.hta) in order to manipulate the output. I say “we” here, but I really mean “he”, as full kudos goes to one of my esteemed Silversands colleagues, David Hughes, who did the actual development work. I was merely responsible for the inspiration, testing and tea making :)

With this approach in mind, David looked at the default ISAInfo.hta viewer in order to understand what changes would be necessary. The ‘problem’ with the default ISAInfo viewer is that the results are formatted for readable screen output. Hence, if you copy and paste the data, it is not really in an ideal format and requires quite a bit of manipulation to achieve something satisfactory (if you paste it directly into Word for example).

Therefore, by modifying the display format into data that is more copy-and-paste friendly, like comma-separated values (CSV), we greatly improve our chances of obtaining the information in a much more suitable form. CSV is also an ideal data format for importing into Excel, and this provides an excellent document format for the firewall/system policy rules data.

So after amending the ISAInfo.hta as necessary, we now have a new ISAInfo viewer called ISAInfo2XLS.hta which outputs firewall and system policy information into an onscreen CSV format. Well, to be precise, it’s actually a pipe character “|” separated value (PSV) format, but close enough! A copy of the customised viewer can be downloaded from here.

Please Note: The original ISAInfo.hta file is based upon version 1.0.2161.23 dated 19/07/2007 which is available as part of the ISAInfo.zip archive available from Jim Harrison’s www.isatools.org website here.

In order to understand the entire process of using the customised viewer, I have put together the following procedure with some sample screenshots and a quick walkthrough.

Generate the ISAInfo XML Output

Let's start with an example firewall policy as shown below. This contains a web publishing rule, a server publishing rule and an access rule:

In order to dump the configuration information, we need to run the ISAInfo.js utility as shown below:

Once this has completed, we then have an XML output file which can be opened in the ISAInfo Viewer:

After opening this XML file in the default ISAInfo viewer, we can see the example firewall policy rule details are shown in the right hand pane of the viewer:

So, this is how things work with the default ISAInfo viewer.

Using the ISAInfo2XLS Viewer

Now, let's look at the display format when we use the ISAInfo2XLS viewer:

As can be seen, the rule information is now provided onscreen in PSV format. If we highlight this text and copy and paste the data into a notepad text file, we get the following:

If we now save this text file to a temporary location, we can open it using Excel. Excel will then automatically recognise the text file format and will run the Text Import Wizard.

Please Note: I am using Excel 2007 in my examples, but it should be a similar process with previous versions of Excel.

On Step 1 of the wizard, select the Delimited radio button as our data is in a separated, or delimited, format. Then click Next to continue to Step 2.

On Step 2 of the wizard, select the Other tick box and enter a pipe character (the vertical line ‘|’ key to the left of the ‘z’ key on UK QWERTY keyboards). Then click Next to continue to Step 3.

On Step 3 of the wizard, accept the defaults and select Finish.

You should then see the imported firewall policy rules, as shown below:

After a bit of basic formatting we get the following result, which looks great!

Repeating the above process with a set of System Policy rules results in a more complex, but equally impressive, spreadsheet:

So, there you go! You now have an Excel spreadsheet that contains all firewall or system policy rules, and the key top-level information for each rule.
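The same import can be scripted rather than run through the Text Import Wizard. The PowerShell below is an added example, not part of ISAInfo2XLS or the original post; it assumes the pasted text starts with a header line, and the function name `Convert-PsvToCsv`, the column names and the sample rules are constructed for illustration.

```powershell
# Added example: convert pasted ISAInfo2XLS pipe-separated (PSV) text to CSV.
# The column names and rule rows in $sample are constructed for illustration.
function Convert-PsvToCsv {
    param([string[]] $Lines, [string] $OutPath)

    # Drop blank lines that creep in when copying from the viewer window.
    $rows = @($Lines | Where-Object { $_.Trim() -ne '' })
    if ($rows.Count -lt 2) { throw 'Need a header line and at least one rule line.' }

    $header = @($rows[0].Split('|') | ForEach-Object { $_.Trim() })
    $lineNo = 1   # counts non-blank lines; the header is line 1
    $rules = @(foreach ($row in $rows[1..($rows.Count - 1)]) {
        $lineNo++
        $cells = $row.Split('|')
        # A stray '|' inside a rule name or description shifts every later column.
        if ($cells.Count -ne $header.Count) {
            Write-Warning "Line ${lineNo}: expected $($header.Count) fields, got $($cells.Count); skipped"
            continue
        }
        $rule = [ordered]@{}
        for ($i = 0; $i -lt $header.Count; $i++) { $rule[$header[$i]] = $cells[$i].Trim() }
        # Empty cells are not necessarily wrong, but check them against the console.
        $empty = @($rule.Keys | Where-Object { $rule[$_] -eq '' })
        if ($empty.Count -gt 0) {
            Write-Warning "Line ${lineNo}: empty field(s): $($empty -join ', ')"
        }
        [pscustomobject]$rule
    })
    # Export-Csv quotes fields, so values that contain commas stay in one column.
    $rules | Export-Csv -Path $OutPath -NoTypeInformation -Encoding UTF8
    $rules
}

# Constructed sample input (not real viewer output).
$sample = @(
    'Order|Name|Action|Protocols|From|To'
    '1|Publish OWA|Allow|HTTPS|External|owa.example.test'
    '2|Publish SMTP|Allow||External|192.0.2.25'
    '3|Web Access|Allow|HTTP, HTTPS|Internal|External'
)
# For a real export: Convert-PsvToCsv -Lines (Get-Content .\rules.txt) -OutPath .\rules.csv
Convert-PsvToCsv -Lines $sample -OutPath (Join-Path $env:TEMP 'isa-rules.csv') | Format-Table
```

The resulting CSV opens directly in Excel, and the warnings list any rows to compare by hand against the rule as shown in the management console.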

I will be the first to admit that it’s not the slickest or most elegant tool in the world, but hopefully some of you will find it as useful as I have when it comes to documenting firewall and system policies – Enjoy!

UPDATE!

Based upon popular demand, please find an updated version of ISAInfo2XLS.hta now called ISAInfo2XLSv2.hta from here which has been tested with Windows 7, IE9 and Forefront TMG. Many thanks to Richard Knight for his efforts with this update!

Superb! Just as I was facing the task of documenting my rule set I found your article. Only one question, I tried the link to download the ISAInfo2XLS.hta file but it reports file not found. Any chance this could be updated? Thanks - Chunk

I have a problem when using your ISAInfo2XLS.hta program. When I try to load an ISAInfo dump in your modified ISAInfo Viewer, the application waits for some time and outputs the text "Sucessfully rendered C:\Documents and Settings\draven\Desktop\ISAInfo_proxy.xml" as a result. No other information can be viewed at all, while the default ISAInfo Viewer loads and renders the SAME dump file successfully and displays all the configuration info. The version of the ISAInfo.js script is 1.0.2161.23.

Yes, that would be great if we had something to work with IE9. I am working on a migration from ISA 2006 to TMG and am rebuilding all my rules for clean up and would like to have this utility for reference.

As a suggestion, could you move the "update!" to the top of the original article? I missed it when I first read over this and only found it from your comment about it, looking at the comments to see if anyone had asked about a newer version.

It's perfectly clear but not when you're skim reading like I did. :)

This utility is incredibly handy, I had used it to document an ISA 2006 install and now a TMG install. Thanks very much for making this available.

Thanks, saved me a lot of work. Please be aware you have to check the output of the "array rules"; I noticed that with server publishing rules the protocols specified in TMG are missing in the ISAInfo Viewer.

About Me

I currently work as a Senior Security Consultant for Microsoft Consulting Services (MCS) in the UK. This position involves providing design, architectural and technical consulting to Microsoft's customers and partners. My specialities focus on the Microsoft Security, Identity and Access space with in-depth knowledge of technologies like Active Directory Certificate Services, DirectAccess and Forefront Edge (TMG/UAG). I am also a former Microsoft Most Valuable Professional (MVP).
